Comments
Fill the field named: "One-time code"
https://keepassxc.org/docs/KeePassXC_UserGuide#_adding_totp_to_an_entry
Anyone come across any cloud based offering?
It would be interesting to find a provider that can be trusted for your data unless e2e is provided and vetted
I can't decide if a self-hosted 2FA web app is a brilliantly cunning plan, or a crushingly bad one.
If one wanted to self host, would self hosted BitWarden fit the bill? Not a BitWarden user, but presumably could create entries with just the OTP codes to achieve this.
Hosted on public server, BAD idea.
Hosted on local network with IP filtering, OK idea.
Hosted on VM on your daily driver with NAT and no internet access/port forwarding, good idea.
Websites have ads, I have ad-blocker.
There is a way to export from Authy. I recently exported from Authy to Vaultwarden following this link and it was fairly painless.
https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93
Thanks for that; it finally prompted me to export my data and get it into OTPClient.
And I switched from bitwarden to vaultwarden since it has totp for free!
Websites have ads, I have ad-blocker.
Anyone used https://www.yubico.com/products/yubico-authenticator/ ?
I am in search of a replacement... I use my laptop running Windows as my daily driver in sync with my phone (iOS and Android)... This looks good? Any thoughts/reviews?
Ya, I use it regularly and highly recommend the "type C" version:
https://www.yubico.com/sg/product/yubikey-5-series/yubikey-5c-nano/
Websites have ads, I have ad-blocker.
Oh so I need to have a yubikey? Cannot use without it? How is the app sync functionality?
I haven't used the Yubico app. I usually use Google Authenticator as my TOTP solution and YubiKey as the primary login method. That way, if I am outside or using a different PC, I use the TOTP login.
Forgot to mention, all Yubico comes with a desktop/mobile app and Yubico hardware tokens can be reprogrammed by the apps. You need to plug it in to any USB port (on your laptop/desktop) for that to happen. Did not try it on phone.
Websites have ads, I have ad-blocker.
There is no app sync functionality. A YubiKey solution errs on the side of absolute security, the secret key is loaded one way, one time from the QR code stage, and cannot be retrieved or copied afterwards, and the code to generate the 6 digit number is factory installed and cannot be tampered with. The Yubico Authenticator app is merely a GUI front end to feed the key the time and display the digits it then generates internally.
It's a great solution, easy to use and an order of magnitude more secure than a software app or trusting a third party service. Unlike FIDO/U2F, TOTP is still phishable though! So best to use FIDO where offered, which the YubiKey will do too.
I do keep copies of the secret keys from the registration screen(s) as backup, I use a KeePass file kept offline, but you could just print off the QR codes at the time too. KeePass can generate the TOTP itself in an emergency and only becomes a risk (relatively speaking) if actively used.
It isn’t a bad idea to have an app that will autofill in your browser to help with this. If the URL isn’t recognised, the TOTP code wouldn’t auto populate and that’s a good trigger to double check what you’re logging into. In most cases the TOTP will be in line with or after a username or password prompt, so the autofill, or lack thereof, from a password manager is probably something to watch out for if you decide to manually fill in a TOTP code.
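As an added illustration (not code from anyone in this thread or from Yubico/KeePass), here is the RFC 6238 TOTP computation that both the YubiKey and a KeePass entry perform from the same secret: it makes concrete why a backed-up secret key is equivalent to the token itself, and why a copy kept offline is only a risk once something can read it. The base32 string is a constructed demo secret, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HMAC the 8-byte big-endian time counter, dynamically
    truncate to 31 bits, then reduce modulo 10^digits (zero-padded)."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown on a registration screen / in an
    otpauth:// QR code. Spaces, lowercase and missing '=' padding are tolerated."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify(secret: bytes, candidate: str, at_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of
    clock drift. Uses a constant-time comparison for each candidate."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + k * step, step), candidate):
            return True
    return False


# Constructed demo secret (assumption for the example; not tied to any service).
DEMO_B32 = "JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(secret_from_base32(DEMO_B32), now))
```

The same function run against the RFC 6238 test secret reproduces the published vectors, so any device or file holding the secret produces identical codes; the difference between a hardware token and a backup is purely where the secret can be read from.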
This looks promising. But I could not find info whether it allows importing of codes in bulk and export later if they do another Authy stunt in future?
Thnx